AJM AJM - 3 months ago 29
Java Question

httpservletrequest - create new session / change session Id

I'm maintaining a Java web application.

Looking into the login code it gets an HttpSession out of HttpServletRequest via the getSession() method of HttpServletRequest. (It uses some values in the session for authentication purposes)

However I'm worried about session fixation attacks so after I have used the initial session I want to either start a new session or change the session id. Is this possible?

Answer

The Servlet 3.0 API doesn't allow you to change the session id on an existing session. Typically, to protect against session fixation, you'll want to just create a new one and invalidate the old one as well.

You can invalidate a session like this

request.getSession(false).invalidate();

and then create a new session with

getSession(true) (getSession() should work to)

Obviously, if you have an data in the session that you want to persist, you'll need to copy it from the first session to the second session.

Note, for session fixation protection, it's commonly considered okay to just do this on the authentication request. But a higher level of security involves a tossing the old session and making a new session for each and every request.

Comments